fix: validate ORIGIN env var at startup#15045
Conversation
- Add parse_origin() utility to validate and normalize origin URLs - Server now fails fast with clear error for invalid ORIGIN - Automatically normalize default ports and strip path/query/hash - Add tests for origin validation
🦋 Changeset detectedLatest commit: 52b796c The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Added the changeset |
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* checkpoint * donesies * fix: lockfile * update svelte-check * add .env for test app * fix flaky test * polyfill withResolvers
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Ben McCann <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Tiny detail to make it super clear the import is for remote functions.
Co-authored-by: Ben McCann <[email protected]>
* chore: Upgrade Playwright * checkpoint, not sure what else is going wrong * i have never been so happy to see a test failure * fix lockfile maybe * fix: remove playwright * more flaky tests * fix clicknav * fix another flaky test * improve further * another clicknav usage
…tejs#14725) * improvement: expose `waitUntil` also for serverless runtime & add documentation * changeset * revert previous changes and add docs * revert previous changes * change changeset --------- Co-authored-by: Tee Ming <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Tee Ming <[email protected]>
Co-authored-by: copilot-swe-agent[bot] <[email protected]> Co-authored-by: teemingc <[email protected]> Co-authored-by: Ben McCann <[email protected]>
* docs: remove `$lib` path customization Updated documentation for $lib import alias in SvelteKit. * Update documentation/docs/98-reference/26-$lib.md Co-authored-by: Tee Ming <[email protected]> * chore: remove deprecated comment --------- Co-authored-by: Tee Ming <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
) * Add support for SearchParams.has(name, value) overload * generate changeset * Update .changeset/sharp-tires-work.md --------- Co-authored-by: Elliott Johnson <[email protected]> Co-authored-by: Elliott Johnson <[email protected]>
teemingc
changed the title
teemingc
changed the title
…eltejs#15153) * add fix and test format * add unit test * changeset * add test for inlining conditionally rendered component css * format * Apply suggestion from @teemingc * Apply suggestion from @teemingc * Update css.js * handle whitespace, add some additional test cases * add failing test for assets in static dir * bump svelte * this should just work * fix lockfile * ok its working now * last fix * format * push wip * tests are passing * split tests * rename parser to parse * hoist regexes * use test.each * add test for content and comments * rename assets to paths_assets * add tests for escaped characters * add test for encoded characters * safeguard against trailing slashes * decode vite asset filenames * a bit of clean up * oops * tippex comments * tippex strings * tippex wip * harden comment and escaped character tests * account for nested app dir * bump svelte * chore: fix tippex and add test cases --------- Co-authored-by: Elliott Johnson <[email protected]> Co-authored-by: Rich Harris <[email protected]>
Co-authored-by: Elliott Johnson <[email protected]> Co-authored-by: Rishab49 <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…in package.json of public packages (sveltejs#15217)
…sveltejs#15231) * fix(kit): properly handle percent-encoded anchors during prerendering * changelog * Apply suggestion from @GauBen * improve tests --------- Co-authored-by: Elliott Johnson <[email protected]>
* feat: export type Picture in enhanced-img
This type is part of public api, so it should be reexported.
Otherwise users have to explicitly add "vite-imagetools", or use hacks
like `typeof import('fake.jpg?enhanced').default`
This type is needed when using `import.meta.glob`, because by default it
is getting typed as `unknown`.
* Apply suggestion from @teemingc
Co-authored-by: Tee Ming <[email protected]>
* tweak
---------
Co-authored-by: Elliott Johnson <[email protected]>
Co-authored-by: Tee Ming <[email protected]>
# Conflicts: # packages/adapter-node/tests/utils.spec.js
elliott-with-the-longest-name-on-github
left a comment
elliott-with-the-longest-name-on-github
left a comment
There was a problem hiding this comment.
One more thing and I think we're good!
|
I just wanted to say thanks and sorry for the delay! We avoided reviewing this earlier so as not to conflict with getting some security fixes out: d9ae9b0#diff-216dce32a326b5829e531e0315d25a9e5feaab9175dc9a489d3a7d498afe63d4 You were very close to fixing the security issue without knowing it 😄 |
No worries at all, security comes first! That's pretty funny that I was close to fixing it without knowing 😄 Thanks for reviewing and for building such an amazing framework, really enjoying working with SvelteKit! |
|
Oh man the git history was a little wonky and I forgot to fix up the merge commit description 🤦🏼 |
Closes #14978
Please don't delete this checklist! Before submitting the PR, please make sure you do the following:
Tests
pnpm testand lint the project withpnpm lintandpnpm checkChangesets
pnpm changesetand following the prompts. Changesets that add features should beminorand those that fix bugs should bepatch. Please prefix changeset messages withfeat:,fix:, orchore:.Edits